Technology Purchasing & Acquisition

Approved: November 23, 2015

Foundation/Philosophy Statement

The use of technology in pedagogical settings has evolved at a rapid pace over the past decade. The internet continues to offer unprecedented access to educational content, services, and information. As a result, some services have transitioned from being hosted on campus, to cloud-based offerings in which the hardware, software or content do not reside on campus. The purpose of this policy is to strike a balance between the need to enable campus community to take advantage of rich content available in the cloud and protecting sensitive student and employee information.

Definitions

Third Party Relationship: Any agreement, formal or informal, to utilize services, products, or content that is not generated by the University of Wisconsin-Whitewater and/or is hosted on off-campus servers.

Authentication: Any process by which a system verifies the identity of a user, typically though a username/email address and password.

Credentials: Personalized login information required to access a secure service or system, typically a username and password combination. (Note: campus credential refers to the Net-ID and password combination, unique to each individual, used to access campus IT-related services).

Vendor Relationships

Third-party entities that require authentication and/or registration to use a service or to view content, exercise data collection practices, and/or track users in any way, may advertently, or inadvertently collect sensitive or restricted information as the result of user activity or system design. Entering into any agreement or relationship to utilize third-party services, products, and/or content that requires the use of campus data or credentials, has the potential to elevate IT security risk for the campus and/or for the individual user. UW-Whitewater has a robust technology infrastructure that enables safe and secure authentication process for cloud-based services for students and employees. Examples of secure third-party cloud based services currently offered on campus include:

Google Drive

Lynda.com

WebEx

Policy Statement

ICIT, and other campus offices with applicable data custodianship responsibilities, must be made aware, prior to acquisition, of intentions to procure any third party digital services, products, and/or content that require the use of campus IT infrastructure or campus data, and/or directs users to share personal information prior to acquisition.

Scenarios in which ICIT does not need to be consulted:

Systems created and sanctioned by UW-Whitewater faculty or staff that do not utilize sensitive data (social security numbers, student IDs, Etc.) and do not use third-party networks or IT infrastructure.

Personally identifiable data includes photos and videos of the user. Utilizing systems in which the user can choose or create their own username and password combination (e.g. - distinct from Net-ID/password).

Utilizing campus email addresses to set up third-party accounts is acceptable, when the chosen password is different from the password utilized to access campus services.

Signing up for individual accounts or subscriptions used for the sole benefit of the individual user (e.g. -not compelling others to sign up for a service).

Username/Password Best Practices

Users should never utilize their campus Net-ID and password combination as a username/password for a third party offering, unless access is approved by ICIT.

Third Party Email Communications

When a University-issued email address is provided to a third party, whether it is required or voluntarily submitted, the user may receive emails from that third party (i.e. marketing emails, password reset emails, etc.). It is the responsibility of the Office(s) or Department(s) acquiring the third party service to be aware of the volume and the extent of the email communications that will be received by the third party service provider. ICIT will not actively prevent third party emails from reaching their intended recipients unless the emails are deemed potentially harmful to the campus network.